
[Resolved] Error loading tapi.nfo


This topic is locked
10 replies to this topic

#1 leonkun

    New Member

  • Authentic Member
  • 5 posts

Posted 03 September 2009 - 09:23 PM

Hi...My malware bytes will not scan...it gives an error saying "windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." My McAfee virus scan will not work either.
I tried superanti-spyware and it ran 1 time and found "trojan dropper/sys-nv" and "trojan agent/ gen-small dropper"...I followed the instructions and tried to quarantine these items, but when I restarted my computer, it came back up with "RUNDLL error loading tapi.nfo"...then the superanti-spyware will not work anymore...my internet works fine other than the google redirect. Please help!!

HijackThis would freeze during scan, so I have provided a GMER log

GMER 1.0.15.15077 [9537l9ty.exe] - http://www.gmer.net
Rootkit scan 2009-09-04 17:35:53
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xEEEA9BCE]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xEEEA9CBC]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xEEEA9B32]
SSDT \??\C:\windows\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xEEFF76D0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\F26D7496.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [328] 0x35670000
Library \\?\globalroot\Device\__max++>\F26D7496.x86.dll (*** hidden *** ) @ C:\windows\system32\winlogon.exe [664] 0x35670000
Library \\?\globalroot\Device\__max++>\F26D7496.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [936] 0x35670000
Library \\?\globalroot\Device\__max++>\F26D7496.x86.dll (*** hidden *** ) @ C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe [1092] 0x35670000
Library \\?\globalroot\Device\__max++>\F26D7496.x86.dll (*** hidden *** ) @ C:\windows\System32\svchost.exe [1104] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@
Reg HKLM\SOFTWARE\Classes\Installer\Features\5F5A11986A6013941B391EBFE0AC3F27
Reg HKLM\SOFTWARE\Classes\Installer\Features\5F5A11986A6013941B391EBFE0AC3F27@DefaultFeature
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@ProductName Exterminate3
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@PackageCode 92348208B3C0AAC4AA9A30A4FAA54D27
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@Language 1033
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@Version 16777216
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@Assignment 1
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@AdvertiseFlags 388
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@InstanceType 0
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@AuthorizedLUAApp 0
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@DeploymentFlags 3
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27@Clients :?
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27\SourceList
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27\SourceList@PackageName Exterminate3.msi
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27\SourceList@LastUsedSource n;1;C:\Program Files\PCPitstop\PC Matic\uninstall\
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27\SourceList\Media
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27\SourceList\Media@1 ;
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27\SourceList\Net
Reg HKLM\SOFTWARE\Classes\Installer\Products\5F5A11986A6013941B391EBFE0AC3F27\SourceList\Net@1 C:\Program Files\PCPitstop\PC Matic\uninstall\
Reg HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\7E29B30FF20A7574E8E33A18BE6E8512
Reg HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\7E29B30FF20A7574E8E33A18BE6E8512@5F5A11986A6013941B391EBFE0AC3F27
Reg HKLM\SOFTWARE\Classes\Installer\Win32Assemblies\Global@Microsoft.MSXML2,publicKeyToken="6bd6b9abf345378f",version="4.20.9818.0",type="win32",processorArchitecture="x86" _[X'TOMST?Ki,zyhLGyL>2INR3`I9&?giP6x,s{bo?grjNLln*a9jep!hbk@K`MSXMLSXS>2INR3`I9&?giP6x,s{bo?
Reg HKLM\SOFTWARE\Classes\Installer\Win32Assemblies\Global@Microsoft.MSXML2R,publicKeyToken="6bd6b9abf345378f",version="4.1.0.0",type="win32",processorArchitecture="x86" _[X'TOMST?Ki,zyhLGyL>ITzaC}zyQ@Zq3QlMCb0e?grjNLln*a9jep!hbk@K`MSXMLSXS>ITzaC}zyQ@Zq3QlMCb0e?
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5B05A292-AA87-F669-5534-5CB10F6F4AA6}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5B05A292-AA87-F669-5534-5CB10F6F4AA6}@abgfehiohobbopmaboidapfidgofnmfnbj 0x65 0x62 0x67 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5B05A292-AA87-F669-5534-5CB10F6F4AA6}@bbgfehiohobbopmabohdlaffeeinmdfiipib 0x61 0x62 0x64 0x64 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 05: copy of MBR

---- EOF - GMER 1.0.15 ----



#2 OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 03 September 2009 - 11:14 PM

Hello leonkun

  • You may want to print out these instructions for reference prior to proceeding.
  • This solution is specifically tailored for this particular problem, please do not attempt to use this solution on another computer.
  • If you have any questions, or are uncertain about any steps please ask 'before' proceeding.
- - - - - Next - - - - -

Please download ad13's win32ksys to your desktop
  • Double click to run it
  • A black window will appear, let this run
  • On completion a log will appear on your desktop called Win32kDiag.txt please post this in your next reply.
- - - - - Next - - - - -

Please run RootRepeal
  • Download RootRepeal from one of the following locations and save it to your desktop.
    Here
    Here
    or Here

  • Open RootRepeal on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • In the Select Scan dialog, check [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press OK.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
- - - - - Next - - - - -

Please download DDS from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • Win32kDiag.txt
  • RootRepeal.txt
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.
  • Tell me how your computer is running at the moment.


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.


#3 leonkun

    New Member

  • Authentic Member
  • 5 posts

Posted 04 September 2009 - 04:19 AM

Currently none of my anti-virus software is working at the moment: BitDefender, Antisuperspyware, Malwarebytes' Anti-Malware. Computer is acting much slower than usual. I have provided RootRepeal and the win32diag; for some reason the DDS keeps responding "This tool does not support your operating system".

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 05:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\aujasnkj.sys
Address: 0xEEBA6000 Size: 84352 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\windows\System32\Drivers\dump_atapi.sys
Address: 0xEF6BA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\windows\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AA2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\windows\system32\drivers\rootrepeal.sys
Address: 0xEE700000 Size: 49152 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\windows\system32\Drivers\uphcleanhlp.sys
Address: 0xEEFF7000 Size: 8960 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\windows\win32k.sys:1
Address: 0xF78AC000 Size: 20480 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xeeea9bce

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xeeea9cbc

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xeeea9b32

#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\windows\system32\Drivers\uphcleanhlp.sys" at address 0xeeff76d0

==EOF==

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\windows'...

Found mount point : C:\windows\$hf_mig$\KB956744\KB956744
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB961501\KB961501
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB968389\KB968389
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB968537\KB968537
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB970238\KB970238
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB971633\KB971633
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB971657\KB971657
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB973869\KB973869
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\addins\addins
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\assembly\NativeImages_v2.0.50727_32\Temp\Temp
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Config\Config
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\configuration\configuration
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d1\d1
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d2\d2
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d3\d3
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d4\d4
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d5\d5
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d6\d6
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d7\d7
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\CSC\d8\d8
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\java\classes\classes
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\pchealth\ERRORREP\ERRORREP
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^

Cannot access: C:\windows\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2008-04-14 07:00:00 764416 C:\windows\pchealth\helpctr\binaries\HelpSvc.exe ()
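A defender's triage script for the two kinds of log posted in this thread (GMER "Library" lines and Win32kDiag mount-point pairs), added here as an example; it is not code from the thread or from either tool. The sample input is constructed from lines in the posts above, and the line layouts the regexes expect are my own reading of the output as pasted.

```python
"""Triage parser for GMER and Win32kDiag output (added example, not from the thread).

Assumptions: the input is the plain-text output of the two tools as pasted in
this thread; the sample strings below are constructed from lines in the thread.
"""
import json
import re
from collections import defaultdict

# Constructed sample: three "Processes" lines from the GMER log in post #1.
GMER_SAMPLE = r"""---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\F26D7496.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [328] 0x35670000
Library \\?\globalroot\Device\__max++>\F26D7496.x86.dll (*** hidden *** ) @ C:\windows\system32\winlogon.exe [664] 0x35670000
Library \\?\globalroot\Device\__max++>\F26D7496.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [936] 0x35670000
"""

# Constructed sample: a shortened Win32kDiag log in the shape of post #3.
DIAG_SAMPLE = r"""Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\windows'...

Found mount point : C:\windows\$hf_mig$\KB956744\KB956744
Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\addins\addins
Mount point destination : \Device\__max++>\^

Cannot access: C:\windows\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2008-04-14 07:00:00     764416 C:\windows\pchealth\helpctr\binaries\HelpSvc.exe ()
"""

# "Library <module> (<flags>) @ <process> [<pid>] <base address>"
GMER_LIB_RE = re.compile(
    r"^Library\s+(?P<module>.+?)\s+\((?P<flags>[^)]*)\)\s+@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$"
)
MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+?)\s*$")
NOACCESS_RE = re.compile(r"^Cannot access: (?P<path>.+?)\s*$")


def parse_gmer_libraries(text):
    """Return one record per GMER 'Library' line, flagging hidden modules."""
    records = []
    for line in text.splitlines():
        m = GMER_LIB_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["hidden"] = "hidden" in rec["flags"]
        # A DLL whose path is a raw device object instead of a drive letter
        # is itself suspicious: normal modules resolve to C:\... paths.
        rec["device_path"] = rec["module"].lower().startswith("\\\\?\\globalroot\\device\\")
        records.append(rec)
    return records


def parse_win32kdiag(text):
    """Pair each 'Found mount point' with its 'Mount point destination' line."""
    mounts, inaccessible, pending = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mounts.append({"path": pending, "dest": m.group("dest")})
            pending = None
            continue
        m = NOACCESS_RE.match(line)
        if m:
            inaccessible.append(m.group("path"))
    return mounts, inaccessible


def triage(gmer_text, diag_text):
    """Summarise both logs: which processes host a hidden module, and where
    the reparse points under C:\\windows lead."""
    by_module = defaultdict(set)
    for rec in parse_gmer_libraries(gmer_text):
        if rec["hidden"] or rec["device_path"]:
            by_module[rec["module"]].add((rec["process"], rec["pid"]))
    mounts, inaccessible = parse_win32kdiag(diag_text)
    by_dest = defaultdict(list)
    for mnt in mounts:
        by_dest[mnt["dest"]].append(mnt["path"])
    # A junction whose target is a bare \Device\... object rather than a
    # \??\ volume or drive path is the pattern seen in this thread's log.
    suspicious = {d: p for d, p in by_dest.items() if d.lower().startswith("\\device\\")}
    return {
        "hidden_modules": {m: sorted(v) for m, v in by_module.items()},
        "mount_points_by_destination": dict(by_dest),
        "suspicious_destinations": suspicious,
        "inaccessible_files": inaccessible,
    }


if __name__ == "__main__":
    print(json.dumps(triage(GMER_SAMPLE, DIAG_SAMPLE), indent=2))
```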

#4 OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 05 September 2009 - 12:46 AM

leonkun,

You have a nasty Rootkit onboard.

We need to run the following command to fix some malware related changes.

  • Click on Start -> Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

  • When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
- - - - - Next - - - - -

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Download peek.bat
  • Double-click peek.bat to run it.
  • A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
- - - - - Next - - - - -

Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools > Options > Main tab
  • Set to "Always ask me where to Save the files".
Link 1
Link 2

During the download, rename Combofix to Combo-Fix as follows:

[image: renaming Combofix to Combo-Fix during the download]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.
    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

NOTE: ComboFix shall request to install the Recovery Console, please ALLOW it to do so.

- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • Win32kDiag.txt
  • Log.txt
  • Combo-Fix.txt log


OCD



#5 leonkun

    New Member

  • Authentic Member
  • 5 posts

Posted 05 September 2009 - 07:31 AM

"%userprofile%\desktop\win32kdiag.exe" -f -r
Windows cannot find 'C:\Documents and Settings\Owner\Desktop\win32kdiag.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click start button, and then click search



Volume in drive C has no label.
Volume Serial Number is 6854-58E3

Directory of C:\WINDOWS\system32

04/14/2008 07:00 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/20/2009 01:18 PM 407,552 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 07:00 AM 62,464 eventlog.dll
3 File(s) 651,264 bytes

Total Files Listed:
3 File(s) 651,264 bytes
0 Dir(s) 172,575,883,264 bytes free


ComboFix: I get this error
!! ALERT !! It is NOT SAFE to contine!

The contents of the ComboFix Package has been compromised.
Please download a fresh copy from:

Http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus 'Virut'

#6 OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 06 September 2009 - 01:16 AM

leonkun,

Please check your desktop for the Win32kDiag.exe file and delete it if it is present.

Download a fresh copy: It MUST be downloaded to your Desktop!

Download Win32kDiag from any of the following locations and save it to your Desktop.

- - - - - Next - - - - -

  • Click on Start -> Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

  • When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
- - - - - Next - - - - -

Please go to: VirusTotal
  • Click the Browse button and search for the each of following files: (one [1] at a time)

    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system32\ctfmon.exe
    c:\windows\system32\userinit.exe

  • Click Open
  • Then click Send File (do this for each file)
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • Win32kDiag.txt
  • Results from the VirusTotal Scans (5 files)


OCD



#7 leonkun

    New Member

  • Authentic Member
  • 5 posts

Posted 06 September 2009 - 07:05 AM

Here is what I got; VirusTotal keeps redirecting the page!! :smack: I believe my computer also has the google redirect virus.

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\windows'...

Found mount point : C:\windows\$hf_mig$\KB956744\KB956744
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\$hf_mig$\KB956744\KB956744

Found mount point : C:\windows\$hf_mig$\KB961501\KB961501
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\$hf_mig$\KB961501\KB961501

Found mount point : C:\windows\$hf_mig$\KB968389\KB968389
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\$hf_mig$\KB968389\KB968389

Found mount point : C:\windows\$hf_mig$\KB968537\KB968537
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\$hf_mig$\KB968537\KB968537

Found mount point : C:\windows\$hf_mig$\KB970238\KB970238
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\$hf_mig$\KB970238\KB970238

Found mount point : C:\windows\$hf_mig$\KB971633\KB971633
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\$hf_mig$\KB971633\KB971633

Found mount point : C:\windows\$hf_mig$\KB971657\KB971657
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\$hf_mig$\KB971657\KB971657

Found mount point : C:\windows\$hf_mig$\KB973869\KB973869
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\$hf_mig$\KB973869\KB973869

Found mount point : C:\windows\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\addins\addins

Found mount point : C:\windows\assembly\NativeImages_v2.0.50727_32\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Found mount point : C:\windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\assembly\temp\temp

Found mount point : C:\windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\assembly\tmp\tmp

Found mount point : C:\windows\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\Config\Config

Found mount point : C:\windows\configuration\configuration
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\configuration\configuration

Found mount point : C:\windows\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\Connection Wizard\Connection Wizard

Found mount point : C:\windows\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\CSC\d1\d1

Found mount point : C:\windows\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\CSC\d2\d2

Found mount point : C:\windows\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\CSC\d3\d3

Found mount point : C:\windows\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\CSC\d4\d4

Found mount point : C:\windows\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\CSC\d5\d5

Found mount point : C:\windows\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\CSC\d6\d6

Found mount point : C:\windows\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\CSC\d7\d7

Found mount point : C:\windows\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\CSC\d8\d8

Found mount point : C:\windows\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\ime\imejp\applets\applets

Found mount point : C:\windows\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\ime\imejp98\imejp98

Found mount point : C:\windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\windows\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\java\classes\classes

Found mount point : C:\windows\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\java\trustlib\trustlib

Found mount point : C:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\windows\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\msapps\msinfo\msinfo

Found mount point : C:\windows\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\msdownld.tmp\msdownld.tmp

Found mount point : C:\windows\pchealth\ERRORREP\ERRORREP
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\pchealth\ERRORREP\ERRORREP

Found mount point : C:\windows\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\windows\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\windows\pchealth\helpctr\binaries\HelpSvc.exe
Attempting to restore permissions of : C:\windows\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2008-04-14 07:00:00 764416 C:\windows\pchealth\helpctr\binaries\HelpSvc.exe ()

#8 OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 06 September 2009 - 10:45 PM

leonkun,

Open Notepad:

  • Click the Start button, click Run
  • In the run box type notepad
  • Click OK
  • In notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all of the text in the code box below into the Notepad, Do Not copy the word CODE

@echo off
sc config eventlog start= disabled
del %0

In Notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "fix.txt"
  • Click Save
It should look like this: [image]

Double click on fix.bat & allow it to run.

- - - - - Next - - - - -

Reboot your machine

- - - - - Next - - - - -

In Windows Explorer, navigate to this folder
C:\Windows\System32 folder

In the right hand panel, locate eventlog.dll, right click on it and select delete

- - - - - Next - - - - -

Locate the copy of ComboFix I had you download earlier and delete it and download a fresh copy.

Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools > Options > Main tab
  • Set to "Always ask me where to Save the files".
Link 1
Link 2

During the download, rename Combofix to Combo-Fix as follows:

[image: renaming Combofix to Combo-Fix during the download]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.
    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

NOTE: ComboFix shall request to install the Recovery Console, please ALLOW it to do so.

- - - - - Next - - - - -

It seems that your Win32kDiag log you posted is not complete.

Locate the Win32kDiag.txt file on your desktop and double click on it to open it in Notepad

Right click on the text and click Select All
Right click on the highlighted text and select Copy
Paste into your next reply

- - - - - Next - - - - -

On your next post please provide the following:
  • Win32kDiag log
  • Combo-Fix.txt log


OCD



#9 leonkun

    New Member

  • Authentic Member
  • 5 posts

Posted 07 September 2009 - 07:59 PM

OCD, thank you for all of the help, really, but I just decided to back up all my files that were necessary and pop in my Windows XP restore disk. It was kinda frustrating to last a few days without my computer working. Do you have a list of recommended programs I should use in order to protect me from any further infections? Again, thank you.

#10 OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 08 September 2009 - 01:28 AM

leonkun,

Since you have decided to reformat and reinstall your operating system here is a link that you should find helpful.

How to Reformat and Reinstall your Operating System

Be sure to read through the steps prior to beginning the process to make sure you understand what to do and in what order.

After you have completed the R & R you can use the information here to help secure your computer in the future.

I strongly recommend that you thoroughly scan your backups at Kaspersky before you reinstall them.

Don't forget to get the following:

  • All the latest critical Windows updates, including Service Packs - easily done by setting your computer for Automatic Updates
  • One (1) Anti-Virus
  • One (1) Firewall
Good Luck with the R & R.


OCD



#11 oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 10 September 2009 - 08:05 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.
